Several vulnerabilities have been discovered in symfony, a framework tocreate websites and web applications. The Common Vulnerabilities andExposures project identifies the following problems:

CVE-2015-8124

The RedTeam Pentesting GmbH team discovered a session fixation vulnerability within the "Remember Me" login feature, allowing an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker.

CVE-2015-8125

Several potential remote timing attack vulnerabilities were discovered in classes from the Symfony Security component and in the legacy CSRF implementation from the Symfony Form component.

For the stable distribution (jessie), these problems have been fixed inversion 2.3.21+dfsg-4+deb8u2.

For the unstable distribution (sid), these problems have been fixed inversion 2.7.7+dfsg-1.

We recommend that you upgrade your symfony packages.

Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/